Sapphire Werewolf has deployed a new build of the Amethyst stealer in a targeted phishing attack against an energy company.
According to the report, the operation disguises the malicious payload as a routine HR memo.
The attack begins with a fraudulent email purporting to come from an HR department.
Attached is what appears to be an 'official memo archive', a .rar file named Служебная записка .rar (Russian for 'Memo'), containing an executable named Служебная записка .exe that masquerades as a PDF document; note the space before the extension in both names.
The file is a C# executable protected with .NET Reactor, and it is not a document at all: it is a loader for the stealer.

Advanced Evasion Techniques
The new version's evasion techniques are the most notable change:
- VM detection: the stealer runs a long series of checks to decide whether it is executing inside a virtual machine, including:
  - Looking for files that are typical of VirtualBox guests.
  - Checking for a VMware Tools installation through its registry keys.
  - Querying hardware details such as manufacturer and model via WMI.
  - Looking for virtualization signatures in the processor name, motherboard details and BIOS serial number.
  - Performing detailed hardware checks, including the disk model and ID and the list of plug-and-play devices.
  - Enumerating running services for names that belong to VM guest tooling.
  - Checking the last-write time of VM-related registry keys, which can reveal a sandbox that was recently modified to hide its hypervisor.
- Triple DES string encryption: strings are now encrypted with Triple DES, a legacy symmetric block cipher. Where earlier versions encrypted the payload as a whole, this version encrypts nearly every string passed to a function call, so that only minimal, obfuscated data is present in memory at any one time. For an analyst this is an obstacle rather than a barrier: the key and the decryption routine ship inside the .NET assembly, so once they are recovered (for example by instrumenting the decryption method) every string can be decrypted in bulk.
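The VM checks listed above are useful in the other direction too: a defender can run the same heuristics against an analysis sandbox to see which of them would make the stealer bail out. The following is an added example, not code from the report or from the malware. It takes an inventory in the shape a WMI/registry collector would produce (the dict layout, the vendor marker strings, the service names and both sample inventories are assumptions made for this illustration) and reports which of the listed checks fire.

```python
from datetime import datetime, timedelta

# Vendor strings the listed checks look for in hardware fields (assumed list).
VENDOR_MARKERS = ("vmware", "virtualbox", "vbox", "innotek", "qemu", "xen",
                  "kvm", "virtual machine", "hyper-v", "parallels", "bochs")
# Guest-tooling services a stealer would look for (assumed list).
VM_SERVICES = {"vboxservice", "vmtoolsd", "vmhgfs", "vmmouse", "qemu-ga", "xensvc"}
# Files typical of a VirtualBox guest (assumed list).
VBOX_FILES = (r"C:\Windows\System32\drivers\VBoxMouse.sys",
              r"C:\Windows\System32\drivers\VBoxGuest.sys",
              r"C:\Windows\System32\vboxdisp.dll")
VMWARE_TOOLS_KEY = r"HKLM\SOFTWARE\VMware, Inc.\VMware Tools"
ASSESSED_AT = datetime(2024, 5, 3)   # fixed "now" so the run is reproducible


def _hit(value):
    """True if a hardware/vendor string contains any virtualization marker."""
    v = (value or "").lower()
    return any(m in v for m in VENDOR_MARKERS)


def vm_indicators(inv, now=ASSESSED_AT, fresh_days=7):
    """Return the names of the checks that would flag `inv` as a VM.

    `inv` is a plain dict (assumed layout, see SANDBOX below); the "registry"
    entry maps key paths to their last-write time.
    """
    fired = []
    if any(p in inv.get("files", ()) for p in VBOX_FILES):
        fired.append("virtualbox_files")
    reg = inv.get("registry", {})
    if VMWARE_TOOLS_KEY in reg:
        fired.append("vmware_tools_registry")
    cs = inv.get("computer_system", {})
    if _hit(cs.get("Manufacturer")) or _hit(cs.get("Model")):
        fired.append("wmi_manufacturer_model")
    if _hit(inv.get("processor", {}).get("Name")):
        fired.append("cpu_name")
    bb = inv.get("baseboard", {})
    if _hit(bb.get("Manufacturer")) or _hit(bb.get("Product")):
        fired.append("baseboard")
    bios = inv.get("bios", {})
    serial = (bios.get("SerialNumber") or "").strip()
    # Hypervisors often leave the BIOS serial empty or "0".
    if _hit(bios.get("Manufacturer")) or _hit(serial) or serial in ("", "0"):
        fired.append("bios")
    if any(_hit(d.get("Model")) or _hit(d.get("PNPDeviceID")) for d in inv.get("disks", ())):
        fired.append("disk_model_or_pnp_id")
    if any(_hit(p) for p in inv.get("pnp_devices", ())):
        fired.append("pnp_devices")
    if {s.lower() for s in inv.get("services", ())} & VM_SERVICES:
        fired.append("vm_services")
    # A VM-related key written very recently suggests a freshly tweaked sandbox.
    if any(_hit(k) and now - t < timedelta(days=fresh_days) for k, t in reg.items()):
        fired.append("recent_vm_registry_write")
    return fired


# Constructed inventories: an unhardened VirtualBox sandbox and a laptop.
SANDBOX = {
    "files": [r"C:\Windows\System32\drivers\VBoxGuest.sys"],
    "registry": {r"HKLM\SOFTWARE\Oracle\VirtualBox Guest Additions": datetime(2024, 5, 1)},
    "computer_system": {"Manufacturer": "innotek GmbH", "Model": "VirtualBox"},
    "processor": {"Name": "Intel(R) Core(TM) i7-9700K CPU @ 3.60GHz"},
    "baseboard": {"Manufacturer": "Oracle Corporation", "Product": "VirtualBox"},
    "bios": {"Manufacturer": "innotek GmbH", "SerialNumber": "0"},
    "disks": [{"Model": "VBOX HARDDISK", "PNPDeviceID": r"SCSI\DISK&VEN_VBOX&PROD_HARDDISK"}],
    "pnp_devices": ["VirtualBox Graphics Adapter"],
    "services": ["VBoxService", "Dhcp"],
}
BARE_METAL = {
    "files": [],
    "registry": {r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion": datetime(2024, 5, 2)},
    "computer_system": {"Manufacturer": "Dell Inc.", "Model": "Latitude 5420"},
    "processor": {"Name": "11th Gen Intel(R) Core(TM) i7-1185G7 @ 3.00GHz"},
    "baseboard": {"Manufacturer": "Dell Inc.", "Product": "0ABC12"},
    "bios": {"Manufacturer": "Dell Inc.", "SerialNumber": "ABC1234"},
    "disks": [{"Model": "NVMe SAMSUNG MZVLB512", "PNPDeviceID": r"SCSI\DISK&VEN_NVME&PROD_SAMSUNG_MZVLB512"}],
    "pnp_devices": ["Intel(R) Iris(R) Xe Graphics"],
    "services": ["Dhcp", "wuauserv", "Spooler"],
}

if __name__ == "__main__":
    for label, inv in (("sandbox", SANDBOX), ("bare metal", BARE_METAL)):
        print(f"{label}: {vm_indicators(inv) or 'no VM indicators'}")
```

Every check that fires on the sandbox is a field worth patching (vendor strings, BIOS serial, service names, guest-addition files) before detonating a sample that carries these checks; the registry timestamp check is the reminder that hardening the sandbox right before detonation can itself be a tell.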
Extraction and Exfiltration
The stealer's collection scope is equally broad:
- Stealing credentials: the malware targets data from Telegram; from browsers including Chrome, Opera, Yandex, Brave, Orbitum, Atom, Kometa and Edge Chromium; and from FileZilla and SSH clients. It also harvests RDP connection files and VPN client configurations, and searches both local and removable drives for stored credentials and sensitive documents.
- Data staging and compression: collected data is staged in a dedicated folder on the infected host, compressed with the DotNetZip library (Ionic.Zip), and uploaded to the C2 server together with the host's IP address and a flag indicating whether the machine is a VM.
- Decoy content: to keep the victim from becoming suspicious, the loader extracts and opens a decoy PDF document.

Indicators of Compromise
The following indicators can be used to identify infections:
- Hashes of the loader:
  - MD5: 93d048364909018a492c8f709d385438
  - SHA-1: 94034e04636bc4450273b50b07b45f636ff59b05
  - SHA-256: 4149b07d9fdcd04b34efa0a64e47a1b9581ff9d1f670ea552b7c93fb66199b5f
- C2 URLs (defanged):
  - hxxp://canarytokens.com/traffic/tags/static/xjemqlqirwqru9pkrh3j4ztmf/payments.js
  - wondrous-bluejay-lively.ngrok-free.app
Both hosts belong to legitimate services (Canarytokens and ngrok), so match on the full URL path and the exact ngrok subdomain rather than blocking the parent domains; unexplained workstation traffic to any ngrok-free.app host is nonetheless worth triage.
The enhancement of Sapphire Werewolf’s capabilities to target the energy sector with such advanced tools indicates a deliberate escalation in their operations.
This development calls for a corresponding escalation in defensive measures:
- Suspicious execution: watch for executables launched from unusual locations such as %Temp% (including the Rar$ folders WinRAR creates when a file is opened straight from an archive), or with names that mimic system files but run from unexpected directories.
- Unusual scheduled tasks: creation of atypical scheduled tasks, especially by a process running from a temporary directory, is an early warning sign.
- Access to sensitive files: monitor for reads of credential stores (browser profile databases, Telegram data, FileZilla and SSH configuration) by processes that do not normally touch them.
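The three hunting ideas above, plus the listed network indicators, expressed as detection logic and run over constructed endpoint telemetry. This is an added example, not a rule shipped by the report's authors; the event shape (flat dicts with Sysmon-style field names such as Image, ParentImage, CommandLine, TargetFilename, DestinationHostname and Url), the credential-store path fragments, the archiver process names and all sample events are assumptions made for this illustration.

```python
import re
from pathlib import PureWindowsPath

# Hosts/paths from the IoC list; matched exactly, not by parent domain.
C2_HOSTS = {"wondrous-bluejay-lively.ngrok-free.app"}
C2_URL_PREFIXES = ("canarytokens.com/traffic/tags/static/xjemqlqirwqru9pkrh3j4ztmf/",)

# Locations from which a freshly extracted attachment would run (assumed list).
STAGING_DIRS = ("\\appdata\\local\\temp\\", "\\windows\\temp\\")
ARCHIVERS = {"winrar.exe", "7zfm.exe", "7zg.exe"}
# "memo.pdf.exe" or "memo .exe": a document-looking name with a real .exe extension.
DOC_MASQUERADE = re.compile(r"\.(pdf|docx?|xlsx?)\s*\.exe$|\s\.exe$", re.IGNORECASE)
# Path fragments of the credential stores named in the report (assumed fragments).
SENSITIVE_STORES = (r"\login data", "\\tdata\\", "recentservers.xml",
                    "sitemanager.xml", "\\.ssh\\", ".rdp", "\\openvpn\\")


def _in_staging(path):
    return any(d in path.lower() for d in STAGING_DIRS)


def classify(event):
    """Return the detection names an event trips (empty list means nothing fired)."""
    hits = []
    kind = event.get("EventType")
    if kind == "ProcessCreate":
        image = event.get("Image", "")
        name = PureWindowsPath(image).name
        parent = event.get("ParentImage", "")
        parent_name = PureWindowsPath(parent).name.lower()
        # Executable running from a temp directory, spawned by an archiver or
        # carrying a name designed to look like a document.
        if _in_staging(image) and (DOC_MASQUERADE.search(name) or parent_name in ARCHIVERS):
            hits.append("suspicious_exec_from_temp")
        cmd = event.get("CommandLine", "").lower()
        if name.lower() == "schtasks.exe" and "/create" in cmd and _in_staging(parent):
            hits.append("scheduled_task_from_temp")
    elif kind == "NetworkConnect":
        host = event.get("DestinationHostname", "").lower()
        url = re.sub(r"^https?://", "", event.get("Url", "").lower())
        if host in C2_HOSTS or any(url.startswith(p) for p in C2_URL_PREFIXES):
            hits.append("known_c2_indicator")
        elif host.endswith(".ngrok-free.app"):
            hits.append("ngrok_tunnel_egress")
    elif kind == "FileAccess":
        target = event.get("TargetFilename", "").lower()
        if any(s in target for s in SENSITIVE_STORES) and _in_staging(event.get("Image", "")):
            hits.append("credential_store_read_by_temp_process")
    return hits


def triage(events):
    """Index and detections for every event that fired at least one rule."""
    return [(i, classify(e)) for i, e in enumerate(events) if classify(e)]


# Constructed telemetry: an attachment opened from WinRAR, its follow-on
# activity, and two benign events for contrast.
TEMP_EXE = r"C:\Users\ivanov\AppData\Local\Temp\Rar$EXa0.123\Служебная записка .exe"
SAMPLE_EVENTS = [
    {"EventType": "ProcessCreate", "Image": TEMP_EXE,
     "ParentImage": r"C:\Program Files\WinRAR\WinRAR.exe", "CommandLine": f'"{TEMP_EXE}"'},
    {"EventType": "ProcessCreate", "Image": r"C:\Windows\System32\schtasks.exe",
     "ParentImage": TEMP_EXE,
     "CommandLine": r'schtasks.exe /create /sc minute /mo 5 /tn Update /tr "C:\Users\ivanov\AppData\Local\Temp\svc.exe"'},
    {"EventType": "FileAccess", "Image": TEMP_EXE,
     "TargetFilename": r"C:\Users\ivanov\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"EventType": "NetworkConnect", "Image": TEMP_EXE,
     "DestinationHostname": "wondrous-bluejay-lively.ngrok-free.app", "Url": ""},
    {"EventType": "NetworkConnect", "Image": TEMP_EXE, "DestinationHostname": "canarytokens.com",
     "Url": "http://canarytokens.com/traffic/tags/static/xjemqlqirwqru9pkrh3j4ztmf/payments.js"},
    {"EventType": "ProcessCreate", "Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "WINWORD.EXE"},
    {"EventType": "NetworkConnect", "Image": r"C:\Windows\System32\svchost.exe",
     "DestinationHostname": "update.microsoft.com", "Url": ""},
]

if __name__ == "__main__":
    for idx, hits in triage(SAMPLE_EVENTS):
        print(idx, hits)
```

The rules deliberately key on combinations (temp path plus archiver parent or document-like name; credential store plus temp process) rather than on any single field, since each field alone is common in benign telemetry; the ngrok rule is kept separate and lower-severity because the service itself is legitimate.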
The deployment of Amethyst by Sapphire Werewolf underlines the importance of heightened cybersecurity measures, particularly in critical infrastructure like energy sectors.
Organizations are advised to implement comprehensive EDR rules, vigilant monitoring, and robust endpoint protection to detect and mitigate such sophisticated threats.